Threat of the Week: The Smishing Hype Alert

The threat is terrifying. Mobile phones are carpet bombed with rogue SMS messages that direct credit union members to criminal websites where their personal information is captured – and then their accounts are looted. That’s the frightening scenario.

It is built on a technically sound bedrock.

Since we often don’t see full URLs in SMS messages, we frequently click on Web links with abandon, and therein lies the opportunity for a crook. Send an SMS, dupe the victim into clicking into a bogus edition of a credit union or bank site, and when the victim logs in, bingo, the thief has the credentials to loot the victim’s account.

Even the Better Business Bureau has climbed aboard this fright train with a loud warning to consumers to guard against so called “smishing” (a mashup word mixing SMS with phishing, the tried and true email credentials scam – and, yes, phishing remains a huge problem).

It’s enough to make a person afraid to even glance at an incoming SMS.

Potentially, for credit unions in particular, this is horrific news because many increasingly rely on SMS to send account alerts to members and also for multi-factor authentication logins. Given the ubiquity of cellphones (even cheap feature phones are SMS capable), it’s a convenient communication channel, and that of course also makes it prime for thieves who, if we believe the hype, are already furiously mining this path to stolen riches.

Just one problem: The smishing scare has all the substance of a Halloween ghost.

George Tubin, an expert with security firm Trusteer, said in an interview, “People on mobile devices usually can’t see full URLs and crooks are embedding links into SMS. Those links can bring folks to a very sophisticated phishing site.”

“This definitely is not up there with Zeus,” the keylogging malware that has led to the compromise of millions of bank accounts globally.

“The potential is there and, certainly, we see more focus on the mobile channel by fraudsters. But we still aren’t seeing much smishing,” said Tubin.

Jonathan Weber, founder of Marathon Studios, a consulting company, said he has been doing in-depth study of malware and a conclusion he has reached is that “the level of SMS-based phishing attempts has not been anywhere near as significant as it could have been.”

He stressed that, in his eyes, the threat is real. “Most people cannot recognize SMS malware and there are no SPAM filters that sift it out,” he said, alluding to the fact that filters built into email search for and destroy countless phishing emails daily, before the intended targets ever see them. With SMS, it remains a Wild West where every user stands alone; even so, the volume of tainted incoming SMS remains small.

Daniel Ayoub, a threats expert with Dell SonicWALL, echoes the chorus. He too sees a sizable potential danger in smishing, “but I have not seen that much of it, there’s been no uptick in volume.”

He added, “Most criminals are lazy. They go for the low-hanging fruit.”

What’s a credit union to make of this? Experts pointed to two big takeaways and the first is that the potential for a boom in smishing unquestionably is real and it is ugly. Today’s incidence – hype aside – may be minimal but that could change as criminals seek to diversify out of Zeus and into more mobile-focused attack vectors that resonate with the broader shift away from online banking and into mobile.

The other takeaway: Now is the time to begin to educate members about the credit union communications they will see via SMS and what they will never see. Tell them they will never get an SMS instructing them to “re-authorize” their account by clicking on a link in SMS and entering their login credentials – then tell them that again. And again.

And it is the kind of member education that will pay off when in fact smishing finally goes mainstream ... which it probably will.

Just not yet, which means credit unions have ample time to lay in their defenses to better protect themselves and their members.